Trisul Network Analytics Blog

Tech tips and tricks from the world of network traffic and security monitoring

The ICSI Certificate Notary project provides a public DNS service where you can validate SSL certificates against what it has seen. All you have to do is send a DNS TXT request for {sha1-of-DER-cert}.notary.icsi.berkeley.edu and deal with the results.

NXDOMAIN → this is a never before seen certificate

TXT → cert seen. If validate=1 it has also been validated up to the root.

Let us use the SSL Cert resources and check each one against the notary. This kind of bulk checking begs for automation, and that is where the TRP shines. Using a tiny bit of Ruby and the trisulrp and dnsruby gems we have a very neat way to use the DNS service.
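The lookup the post describes, as an added example rather than the post's own script: it builds the query name from the SHA-1 of a certificate's DER bytes, interprets an empty answer as NXDOMAIN (never seen) and a TXT answer as seen, and treats a `validate=1` (or `validated=1`) key as "validated up to the root". The live lookup uses Ruby's standard `resolv` library in place of the dnsruby gem the post mentions, and the certificate bytes and TXT strings below are constructed samples; the key names in the sample record are placeholders, not the notary's documented schema.

```ruby
require 'openssl'
require 'digest'
require 'resolv'

NOTARY_ZONE = 'notary.icsi.berkeley.edu'.freeze

# Convert a PEM certificate to its DER encoding; the notary keys on SHA-1 of DER.
def der_from_pem(pem)
  OpenSSL::X509::Certificate.new(pem).to_der
end

# Query name is the lowercase hex SHA-1 of the DER bytes under the notary zone.
def notary_query_name(der_bytes)
  "#{Digest::SHA1.hexdigest(der_bytes)}.#{NOTARY_ZONE}"
end

# Interpret the answer the way the post describes:
#   no TXT strings (NXDOMAIN)          -> :unseen
#   TXT with validate=1 / validated=1  -> :seen_validated
#   any other TXT                      -> :seen
# The TXT payload is parsed as whitespace-separated key=value pairs.
def classify_notary_answer(txt_strings)
  return { status: :unseen, fields: {} } if txt_strings.nil? || txt_strings.empty?

  fields = {}
  txt_strings.join(' ').split(/\s+/).each do |pair|
    key, value = pair.split('=', 2)
    fields[key] = value if key && value
  end
  # 'validate' is the spelling used in the post; 'validated' is accepted as well.
  validated = %w[validate validated].any? { |k| fields[k] == '1' }
  { status: validated ? :seen_validated : :seen, fields: fields }
end

# Live lookup (network). Resolv returns an empty array for NXDOMAIN rather
# than raising, so the empty case maps straight to :unseen.
def query_notary(der_bytes)
  name = notary_query_name(der_bytes)
  txt = Resolv::DNS.open do |dns|
    dns.getresources(name, Resolv::DNS::Resource::IN::TXT).flat_map(&:strings)
  end
  classify_notary_answer(txt)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: not a real certificate, just bytes to hash.
  sample_der = 'abc'
  puts "query name: #{notary_query_name(sample_der)}"
  # Constructed sample TXT answer (key names are illustrative placeholders).
  sample_txt = ['first_seen=15387 last_seen=15646 times_seen=260 validated=1']
  puts "answer: #{classify_notary_answer(sample_txt).inspect}"
  puts "nxdomain: #{classify_notary_answer([]).inspect}"
  # To check a real certificate: query_notary(der_from_pem(File.read('cert.pem')))
end
```

To run it against the SSL Cert resources from TRP, feed each certificate's DER bytes to `query_notary` and act on the returned `:status`; everything except `query_notary` works offline, which is useful for unit-testing the bulk checker before pointing it at the notary.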